Low-Level TLS Hacking

Transcription

1 Low-Level TLS Hacking Presented by Richard J. Moore E:

2 Presentation Outline An introduction to SSL/TLS Using pytls to create and decode TLS messages Fingerprinting TLS servers Fingerprinting the wider TLS landscape

3 Brief intro to SSL/TLS TLS is a layered protocol Lowest layer is the record layer The same record format is used in SSL3, TLS Binary protocol Symmetrical the same record format is used in both directions

4 TLS Record Structure Content Type Version Length Message MAC (optional) Padding (optional)

5 Content Types Handshake message ChangeCipherSpec Error reporting Application Activates the crypto Alert Messages used to setup the crypto parameters The actual data Heartbeat Probably the most famous

6 TLS handshake messages The initial messages of a TLS session use the handshake protocol The ClientHello and ServerHello are the ones you ve probably heard of Certificate messages containing the server certificate Handshake messages provide all the information needed to establish a secure connection

7 ClientHello Preferred TLS version of the client Ciphersuites the client supports Client random data Extensions the client supports Server Name Indication Secure Renegotiation Many more Also other information such as the session id if we re reusing a session

8 ServerHello Selected TLS version Selected ciphersuite Server random data Similar to ClientHello but the server has decided on the cipher and version Extensions the server supports Empty extensions indicating support Extensions containing data (e.g. for EC cipher suites)

9 Saying hello ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished

10 TLS is not easy on the eye

11 Heartbleed with pytls

12 pytls A python library for creating TLS messages Easily create TLS records, handshake messages etc. Easily decode messages from the binary format Lets us deal with TLS as objects, no need to worry about the actual format Low-level tool Create valid and invalid messages Send messages in the wrong order

13 Creating handshake messages

14 Creating records with pytls Just create the object, it's that simple Supplying the length is optional Default is to use the correct length Can override to generate invalid records The message field is the actual content Records are normally populated with messages created by pytls, but it is happy to put anything you want in the record

15 Write new tests quickly

16 DH prime check in minutes

17 Low-level facilities Most cipher testing scripts try to connect with each cipher What if the connection fails for another reason? Does the server need a client certificate we don't have? The cipher has already been sent in the ServerHello

18 Also useful for testing clients

19 What else can we do? Writing tests for vulnerabilities is useful, but more is possible Now have a toolbox for working with TLS as a bunch of building blocks Decided to build a server fingerprinting tool

20 Basics of TLS probing There are a number of commonly used TLS stacks Openssl (and variants such as BoringSSL, LibreSSL) Microsoft SChannel Java Secure Socket Extension GnuTLS Less common ones too PolarSSL, MatrixSSL, wolfssl...

21 Lots of small differences The TLS specification is often unclear and implementations aren't perfect Specification allows a single record to contains multiple handshake messages Variations in which Alert messages are sent Some implementations just close the connection on error Implementations vary on what they consider invalid too

22 Example of a Probe TLS records can contain more than one handshake message OpenSSL never does this, but Microsoft and Java do Server Hello Server Hello Certificate Certificate Server Hello Done Server Hello Done Microsoft Schannel or Java SSE OpenSSL

23 TLS Prober TLS prober sends the probes and records the response Only records fields that don't change Microsoft IIS Fingerprint OpenSSL Fingerprint

24 Probing Can fingerprint a server by sending several different probes and recording the responses Probes include Variations in the TLS version numbers Invalid state transitions such as early CCS Invalid lengths Sending complete garbage in a valid record Various valid and invalid Server Name Indication extensions Probe the implementation not the configuration

25 Strengths and Weaknesses Can distinguish every implementation I have found Can even distinguish between specific versions when the fingerprint database is big enough Not affected by common configuration changes such as the cipher configuration Room for improvement though Take steps to address differences in the enabled TLS versions More fingerprints (please submit them!)

26 Probe all the things! Alexa provide a list of the top million websites University of Michigan provide data on which support TLS etc. at We can run the TLS prober over all these! Probing is trivially parallelisable 50 concurrent probes fingerprinted all 686,176 of the top million with port 443 open in 2.5 days Generated around 2GB of fingerprint data...

27 Headline Figures 686,176 targets, 668,809 valid results 17,367 failed to fingerprint (e.g. the port was now closed) 16,051,416 probes recorded Only 10,384 distinct fingerprints Most common fingerprint matches ~18% of the results

28 OpenSSL is king 60% of the probes produced a result matching OpenSSL The IIS signatures only matched 6% of the probes Results are biased by a number of factors Most high traffic sites use content delivery networks Most hardware TLS accelerators use a stack based on OpenSSL The fact remains though, that in practice we have a monoculture for TLS

29 What have we covered? The basics of the TLS protocol format Using pytls to create and decode TLS Using pytls to make readable and customisable vulerability tests Probing TLS implementations to determine the implementation and version Using parallel probing to look at the landscape of deployments in practice

30 Getting the code All the code is available on github pytls tls_prober The parallelised version and the alexa top million data will soon be released too Only 20MB when compressed

31 Questions? Presented by Richard J. Moore E: